ProCurve TMS zl Module IPS/IDS Signature Reference Guide, Version RLX.10.2.2.94
Signature ID: 29083
Worm Bagle.BB
Threat Level: Information
Signature Description: Worm Bagle.BB is a worm that spreads via e-mail. Rather than putting itself in e-mail
attachments, it uses a separate downloader component (called Win32.Glieder.Q), which attempts to download and run
files from several hard-coded URLs. If the Bagle.BB program is placed at one of these URLs, it can spread as a
two-stage e-mail worm. Bagle.BB is a 29,700-byte executable, packed with PEX. This signature detects inbound worm
traffic.
Signature ID: 29084
Worm Bagle.CJ
Threat Level: Information
Signature Description: Worm Bagle.CJ is a worm that spreads via e-mail. Rather than putting itself in e-mail
attachments, it uses a separate downloader component (called Win32.Glieder.BO), which attempts to download and run
files from several hard-coded URLs. If the Bagle.CJ program is placed at one of these URLs, it can spread as a
two-stage e-mail worm.
Signature ID: 29087
Worm Bagle.DK
Threat Level: Information
Signature Description: Worm Bagle.DK is a worm that spreads via e-mail. Rather than putting itself in e-mail
attachments, it uses a separate downloader component (called Win32.Glieder.BS), which attempts to download and run
files from several hard-coded URLs. If the Bagle.DK program is placed at one of these URLs, it can spread as a
two-stage e-mail worm.
Signature ID: 29088
Worm Bagle.EO/Bagle.EP
Threat Level: Information
Signature Description: Bagle.EO/Bagle.EP arrives in spammed e-mails. When the file is run, it copies itself as
the file ANTI_TROJ.EXE to the Windows System folder and creates a startup key for this file in the Registry. The
downloader then tries to download a file from several different sites and activate it. This signature triggers on
inbound malformed SMTP packets.
Signature ID: 29089
Worm Bagle.EO/Bagle.EP
Threat Level: Information
Signature Description: Bagle.EO/Bagle.EP arrives in spammed e-mails. When the file is run, it copies itself as
the file ANTI_TROJ.EXE to the Windows System folder and creates a startup key for this file in the Registry. The
downloader then tries to download a file from several different sites and activate it. This signature triggers on
outbound malformed SMTP packets.
Signature ID: 29090
Worm Bagle.ES/Bagle.ET
Threat Level: Information
Signature Description: Worm Bagle.ES/Bagle.ET arrives in spammed e-mails as a zip file attachment. When the
file is run, it copies itself as the file ANTI_TROJ.EXE to the Windows System folder and creates a startup key for
this file in the Registry. The downloader then tries to download a file from several different sites and activate it.